Nearly every respondent agrees that unsecured Internet of Things (IoT) devices could be catastrophic for their organization, yet just 29 percent actively monitor for the related third-party risks, a new survey found.
Awareness of IoT security threats is growing, but that awareness has not translated into action against threats that arrive through third parties.
The report, entitled “The Internet of Things (IoT): A New Era of Third-Party Risk,” is based on a study conducted by the Ponemon Institute and the Shared Assessments Program, the industry-standard body on third-party risk assurance.
Researchers asked more than 600 respondents about their perception of IoT risks and third-party risk management programs, as well as the strategies employed by their organizations to defend against IoT-related cyber attacks.
“The rapid adoption of IoT devices and applications is not slowing down and organizations need to have a clear understanding of the risks these devices pose both inside their own and outside their extended networks,” said Charlie Miller, senior vice president with the Shared Assessments Program.
Of particular concern is the lack of clear accountability for third-party IoT risk management.
Thirty-eight percent of respondents said nobody in their organization is responsible for reviewing the risk-management policies of third-party vendors, suggesting a tremendous leap of faith.
The problem is compounded by the fact that, as many respondents indicated, C-level executives often do not understand the cyber risks that third-party vendors introduce.
The following are some key takeaways:
The good news is awareness of IoT risks is increasing as IoT adoption continues to grow:
● The average number of IoT devices in the workplace is expected to increase by nearly 9,000 to an average of 24,762 devices
● 97 percent of respondents said an attack related to unsecured IoT devices could be catastrophic for their organization and 60 percent are concerned the IoT ecosystem is vulnerable to a ransomware attack
● 81 percent said a data breach caused by an unsecured IoT device is likely to occur in the next 24 months
● Only 28 percent said they currently include IoT-related risk as part of their third-party due diligence
IoT risk management practices are uneven:
● 49 percent of respondents do not keep an inventory of IoT devices and 56 percent do not keep an inventory of IoT applications, with 85 percent citing a lack of centralized control over these applications as the reason
● More than half (53 percent) of respondents rely on contractual agreements to mitigate third-party IoT risk, and only 46 percent said they have a policy in place to disable a risky IoT device
● 60 percent of respondents said their company has a third-party risk management program, but only 29 percent actively monitor for the risk of IoT devices used by third parties
The gap between internal and third-party IoT monitoring is substantial:
● 71 percent said their organizations consider third-party risk a serious threat to high value assets, and 60 percent said they have a third-party risk management program
● 26 percent of respondents admit they are unsure whether their organization has been affected by a cyber attack involving an IoT device, while 35 percent said they don’t know whether it would even be possible to detect a third-party data breach
● Almost half of all organizations said they are actively monitoring for IoT device risks within their own workplace, but only 29 percent are actively monitoring for third-party IoT device risks
● Just 9 percent of respondents said they are fully aware of all the physical objects connected to the Internet